pixelated / pixelated-dispatcher

Server component of Pixelated that allows running multiple instances of the user agent on a single server.


restrict resource usage of user-agents inside docker

cz8s opened this issue · comments

when our user-agent runs inside docker, it would be nice to restrict the resource usage.
We had at least two rogue user-agents in the past.
And we should make sure that a rogue process does not affect the whole platform

the manpage of docker-run says we can restrict memory with

 -m, --memory=""
Memory limit (format: <number><optional unit>, where unit = b, k, m or g)

Restricting CPU might not be as straight forward.
the -c option only controls the cpu sharing between different containers. But they will
use up 100% altogether if they want to. And I even think that's what they should do.
I don't know if we should confine every individual container.
It should be possible by setting cpu-quota for the cfs. But then we need to know how many CPUs are
present before starting the container. I have a feeling that this might become too hardware dependent.
Let's start with memory and see what happens.
@shyba: Can we trigger a rogue user-agent?

I created a new user on staging after installing latest pixelated-dispatcher.
But docker inspect says memory is not restricted? And I don't know why.

It seems the kernel is too old to support memory restrictions:

docker run -t -i -m 20m debian:latest uptime
WARNING: Your kernel does not support memory limit capabilities. Limitation discarded.
 09:08:36 up 5 days, 11:09,  0 users,  load average: 0.32, 0.14, 0.08

The kernels in wheezy and jessie don't support memory limits. The kernel in jessie-backports (4.2.0 at the time of writing) does not have aufs support and therefore does not support docker. We don't want to build our own kernel so we are stopping this issue for now.
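An added example (not code from the issue or from pixelated-dispatcher) showing how a dispatcher could verify that a requested `-m` limit actually took effect by reading `HostConfig.Memory` from `docker inspect` output, which stays 0 when the kernel discards the limit as shown above, and how the CFS quota discussed in the opening post depends on the host CPU count. The inspect samples are constructed and trimmed; `period_us` defaults to docker's 100ms CFS period.

```python
import json

# Units accepted by `docker run -m`: <number><optional unit>, unit = b, k, m or g.
_UNITS = {"b": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}


def parse_memory_limit(spec):
    """Parse a `-m` value such as '20m' into bytes (unit is case-insensitive)."""
    spec = spec.strip().lower()
    if not spec:
        raise ValueError("empty memory spec")
    unit = spec[-1]
    if unit in _UNITS:
        return int(spec[:-1]) * _UNITS[unit]
    return int(spec)  # bare number means bytes


def cfs_quota_for_fraction(ncpus, fraction, period_us=100_000):
    """CFS quota (microseconds per period) giving a container `fraction` of the
    host's `ncpus` CPUs. This is the hardware-dependent value the issue mentions:
    it must be computed from the CPU count before the container is started."""
    if not 0 < fraction <= 1:
        raise ValueError("fraction must be in (0, 1]")
    return int(period_us * ncpus * fraction)


def memory_limit_effective(inspect_json, requested):
    """True if `docker inspect` output shows the requested limit in
    HostConfig.Memory. 0 means no limit was applied, which is what an
    old kernel without memory-cgroup support silently produces."""
    data = json.loads(inspect_json)
    if isinstance(data, list):  # `docker inspect` returns a JSON array
        data = data[0]
    applied = int(data.get("HostConfig", {}).get("Memory", 0))
    return applied != 0 and applied == parse_memory_limit(requested)


# Constructed, trimmed `docker inspect` samples for a container started with -m 20m:
# first on a kernel that discards the limit, then on one that honours it.
SAMPLE_INSPECT_NO_LIMIT = '[{"Id": "abc123", "HostConfig": {"Memory": 0, "CpuShares": 0}}]'
SAMPLE_INSPECT_LIMITED = '[{"Id": "abc123", "HostConfig": {"Memory": 20971520, "CpuShares": 0}}]'

if __name__ == "__main__":
    for label, sample in (("no-limit", SAMPLE_INSPECT_NO_LIMIT), ("limited", SAMPLE_INSPECT_LIMITED)):
        print(label, memory_limit_effective(sample, "20m"))
    print("quota for 50% of 4 CPUs:", cfs_quota_for_fraction(4, 0.5))
```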

docker works with debian kernels from jessie-backports if you start docker with

--storage-driver=overlay

I have docker working with this in /etc/default/docker, but I don't have any dispatcher running...